Virus Alert! New Klez worm attacks anti-virus programs!
This question was answered on April 17, 2002. Much of the information contained herein may have changed since posting.
A new variation of the Klez worm is in wide distribution
The worm has its own e-mail engine for mass mailing itself to others and has modified code that lets it get past and disable many popular anti-virus programs. In addition, because it can also spread to shared drives on local area networks (LANs), an entire corporate network can become infected from a single computer on the LAN.
WHAT IT DOES...
The worm arrives in an e-mail message with an attachment that, in many cases, doesn't need the recipient to open it in order to run. Instead, it takes advantage of a year-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook. (Make sure you have the latest security patches for your Microsoft products by going to the 'Product Updates' link at http://windowsupdate.microsoft.com.)
Once activated, the worm will find any network storage available on the infected computer and copy itself to any remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension.
The worm will also gather e-mail addresses by searching a host of different file types on the infected system and, using its own e-mail engine, will send itself to those addresses. In addition, it will use the harvested addresses to create a fake "From:" field in the e-mail message, disguising the actual source of the e-mail.
Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.
WHAT TO WATCH FOR:
The worm arrives in an e-mail message with one of 120 possible subject lines and a completely random message body.
According to the Symantec AntiVirus Research Center (SARC.com), the subject line can be one of the following:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
The random word will be one of the following:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky
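As an added example that is not part of the original advisory (and not code from Symantec or Data Doctors): the Python below turns the subject-line templates and random-word list above into one regular expression, combines it with the attachment-extension list from the "What it does" section, and runs both over a few constructed mail-gateway log lines. The sender|subject|attachment log format, the sender addresses and the three-level verdict are assumptions made here; matching is case-insensitive by choice, since the advisory lists each subject in only one spelling.

```python
import os
import re

# Subject-line templates from the advisory. "[Random word]" marks the slot
# the worm fills from RANDOM_WORDS; the other subjects are used verbatim.
SUBJECT_TEMPLATES = [
    'Undeliverable mail--"[Random word]"',
    'Returned mail--"[Random word]"',
    "a [Random word] [Random word] game",
    "a [Random word] [Random word] tool",
    "a [Random word] [Random word] website",
    "a [Random word] [Random word] patch",
    "[Random word] removal tools",
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert",
    "japanese lass' sexy pictures",
]

# Slot fillers from the advisory ("powful" is the worm's own spelling).
RANDOM_WORDS = [
    "new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
    "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure",
    "Sophos", "Trendmicro", "Kaspersky",
]

# Attachment extensions the advisory says the worm uses for its own copies.
RISKY_EXTENSIONS = {".exe", ".pif", ".com", ".bat", ".scr", ".rar"}


def build_subject_regex():
    """Compile one anchored regex covering every template and slot filler."""
    slot = re.escape("[Random word]")
    words = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
    alternatives = [re.escape(t).replace(slot, words) for t in SUBJECT_TEMPLATES]
    # Case-insensitive matching is a choice made here, not from the advisory.
    return re.compile(r"^\s*(?:" + "|".join(alternatives) + r")\s*$", re.IGNORECASE)


KLEZ_SUBJECT = build_subject_regex()


def is_klez_subject(subject):
    return KLEZ_SUBJECT.match(subject) is not None


def has_risky_attachment(filename):
    return os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS


def classify(subject, attachment):
    """Three-level verdict (assumed here, not from the advisory):
    both indicators -> likely-klez, one -> suspicious, none -> clean."""
    hits = int(is_klez_subject(subject)) + int(has_risky_attachment(attachment))
    return ("clean", "suspicious", "likely-klez")[hits]


# Constructed sample of a mail-gateway export, one message per line as
# sender|subject|attachment (a format assumed for this example).
SAMPLE_GATEWAY_LOG = """\
alice@example.com|meeting notice|agenda.doc
bob@example.com|a funny WinXP patch|setup.exe
carol@example.com|Quarterly numbers|q1.xls
dave@example.com|Undeliverable mail--"Symantec"|
erin@example.com|lunch?|photo.scr
frank@example.com|Meeting Notice|
"""


def triage_log(text):
    """Return (sender, verdict) per log line; blank lines are skipped."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, subject, attachment = line.split("|", 2)
        results.append((sender, classify(subject, attachment)))
    return results


if __name__ == "__main__":
    for sender, verdict in triage_log(SAMPLE_GATEWAY_LOG):
        print(f"{verdict:12} {sender}")
```

Note that the sender column is only a hint about where the message came from: as the advisory says, the worm forges the "From:" field from harvested addresses, so the subject pattern and the attachment extension are the indicators to act on, and the generic fixed subjects ("meeting notice", "honey") on their own deserve no more than a second look.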
In order to be protected from this new strain of Klez, you must update your anti-virus program's definition file to one dated 04/17/02 or later.
WHAT TO DO IF YOU CONTRACT THIS WORM
If this worm is activated on your system, in most cases you will not be able to start your anti-virus program. Once this worm has executed, it can be difficult and time consuming to remove. The procedure you must use varies with the operating system.
You can get step-by-step instructions from the SARC website at: http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html#removalinstructions
About the author
Posted by Ken Colburn of Data Doctors on April 17, 2002